Office of Inspector General

IT Capital Investment Decision-Making Follow-up

March 29, 2004
Audit No. 365

IT CAPITAL INVESTMENT DECISION-MAKING FOLLOW-UP

EXECUTIVE SUMMARY

Effective capital investment in information technology (IT) is critical to the achievement of Commission program goals and objectives. The processes used to make IT investment decisions throughout the federal government have been the subject of critical Congressional oversight and audits by the General Accounting Office (GAO). In 2001 our Office conducted a Business Process Review of Commission IT investment decision-making. This report describes our follow-up audit findings and recommendations concerning the current state of the Commission's IT investment decision-making process.

The Commission has made progress in establishing an IT investment process that complies with applicable laws and regulations, and incorporates best practices from the public and private sectors. Notably, the Commission's Information Officers Council has devoted significant time and effort to improving the decision-making process; we commend the members for their dedication.

However, the Commission’s process still does not meet the minimum criteria of GAO’s Information Technology Investment Management Maturity Model and is not in full compliance with applicable laws and regulations. IT investment decision-making remains a “significant problem” for the Commission.

The governance of this critical Commission function needs to be strengthened. The Commission needs to assign specific responsibility, and delegate appropriate authority, for establishing a compliant and effective decision-making process.
To ensure that the necessary changes are completed timely, the Commission should also implement a performance accountability process.

Management agreed with the audit findings and recommendations.

SCOPE AND OBJECTIVES

Our audit objective was to evaluate the Commission’s progress in implementing IT capital investment control and decision-making best practices, and to follow-up on our prior review (IT Decision-Making Process, Report No. 334, dated August 28, 2001). We conducted this review to:
   • Ensure that IT investments selected by the Commission effectively supported Commission programs;
   • Assess and re-evaluate the effectiveness and implementation of audit recommendations made in our FY 2001 IT decision-making business process review;
   • Evaluate the adequacy of the Commission’s IT governance processes for managing the material growth in its IT capital budget; and,
   • Validate the Commission’s compliance with the IT capital planning and investment control mandates of the Clinger-Cohen Act.

To evaluate compliance with the Clinger-Cohen Act, we applied the General Accounting Office’s IT Investment Management Framework for Assessing and Improving Process Maturity.[1]

During the audit, we used questionnaires, applied judgmental sampling, and conducted control self-assessments to obtain a general understanding of the Commission’s IT investment decision-making framework and to solicit input on how the Commission could improve its IT investment decision-making management processes and controls. We also performed a review of the applicability of the Clinger-Cohen Act and OMB implementing instructions to the Commission.
Among other procedures, we:
   • Reviewed the Commission’s approved and draft IT capital planning and investment control policies, procedures, and implementing instructions;
   • Obtained documentation and an understanding of how responsibility, accountability, and authority were assigned and communicated within the Commission’s IT investment management process;
   • Obtained and reviewed in-house studies on capital planning and project management;
   • Obtained and reviewed minutes and charters for the Commission’s Information Officers Council and IT Capital Planning Committee;
   • Observed Information Officers Council proceedings and meetings;
   • Obtained and reviewed the Commission’s FY 2003 and FY 2004 information technology budgets and execution plans;
   • Obtained and reviewed the Commission’s FY 2003 IT investment portfolio;
   • Reviewed quarterly IT investment status reports; and
   • Reviewed IT project request and project analysis forms (business cases) used for FY 2003 IT capital investment decisions.

We performed our audit between November 2002 and December 2003, in accordance with generally accepted government auditing standards.

BACKGROUND

The Commission’s annual information technology (IT) operating budget has grown significantly since 2001, when it totaled about $45 million.
For FY 2004, the IT operating budget will exceed $120 million.

[1] See http://www.gao.gov/special.pubs/ai10123.pdf

IT Capital Investment Decision-Making Follow-Up (Audit 365)    March 29, 2004

In our 2001 review of the IT Decision-Making Process, we proposed a structured process for developing IT proposals and evaluating, prioritizing, and recommending IT investments for funding approval. During the review, initial minimal evaluation criteria were developed, based on a survey of laws and regulations applicable to federal IT capital investment decisions. The review also identified a group decision-making methodology to enhance IT decisions.

MAJOR PARTICIPANTS

Information Officers Council (IOC)

In July 2001, the Commission revised its IT capital investment decision-making process based on our business process review recommendations, and established an enhanced organizational control structure. The IOC was formed and tasked with:
   • Developing IT investment selection decision criteria;
   • Developing and documenting the Commission’s IT selection process;
   • Coordinating program office IT business strategies within and among the program areas;
   • Developing functional requirements and justifications (business cases) for IT investments;
   • Evaluating and prioritizing proposed IT investments; and
   • Recommending investments to the Information Technology Capital Planning Committee (ITCPC) for funding.

The IOC, chaired by the Commission’s CIO, consists of senior staff from the major program divisions and offices (Information Officers) who are familiar with both the business and IT needs of their organizations.
IOC members demonstrated a strong appreciation and understanding of the importance of their role in evaluating whether proposed IT investments would improve the Commission’s mission performance. For example, in 2003, the IOC dedicated a significant amount of time to review and validate the risks, benefits, and costs for about 70 IT investment proposals submitted by the Commission’s divisions and program offices for funding consideration. Although the IOC did not always maintain a documented audit trail or use explicit selection criteria to support its IT investment funding recommendations to the ITCPC, IOC members indicated that they generally applied the IT investment selection principles and evaluation methods mandated by the Clinger-Cohen Act. The IOC members devoted considerable time and effort to improving the IT investment decision-making process; we commend the members for their dedication.

We believe that the Commission can significantly improve its IT capital investment decision-making processes and controls by: continuing to leverage the personal and professional dedication of the information officers, capitalizing on their understanding of the business use of IT within the Commission, and implementing the recommendations contained in this report.

Information Technology Capital Planning Committee (ITCPC)

The Commission established the ITCPC to make final IT investment funding decisions, based on IOC recommendations and policy direction from the Chairman. Membership consists primarily of division directors and program office heads; the Executive Director (ED) chairs the Committee.
For FY 2003, the IOC and ITCPC selected, prioritized, and approved about $21 million in IT initiatives.

Office of the Executive Director (OED)

Under the revised organizational structure, the OED was responsible for chairing the ITCPC and establishing controls to:
   • Reject project requests that did not comply with the Commission’s documented IT investment selection and evaluation criteria;
   • Stop IT projects that were over budget, off schedule, lacked timely program decisions and data, or missed performance expectations; and
   • Provide administrative support to the IOC and ITCPC.

The Office is also responsible for developing the Commission's overall strategic plan and formulating the Commission's annual budgets. In addition, it oversees the administrative functions of the Commission, including financial management, human resources, contracting, and administrative services.

Office of Information Technology (OIT)

Within the revised structure, OIT provided project management support, Commission-wide IT operations, and maintenance support. OIT management selects, prioritizes, and approves operations, maintenance, and infrastructure upgrades and enhancements for the Commission.

OIT’s FY 2003 operating budget totaled about $68 million, excluding about $21 million in program office IT initiatives.
The OIT operating budget was managed separately by OIT, and was not subject to review, analysis, and approval by the Commission’s IOC and ITCPC.

RELEVANT LEGISLATIVE MANDATES, EXECUTIVE ORDERS, AND FEDERAL POLICIES

The Clinger-Cohen Act (CCA) of 1996 (Division E of Public Law 104-106)[2], Executive Order 13011, Federal Information Technology[3], OMB Circular A-130, Management of Federal Information Resources[4], and OMB Circular A-11, Part 7 - Planning, Budgeting, Acquisition, and Management of Capital Assets[5] establish a comprehensive framework for the management of information resources within the Federal government. The Commission is to establish an IT governance framework that implements and enforces the Chairman’s responsibilities to:
   • Appoint a Chief Information Officer (CIO), as required by 44 U.S.C. 3506, who must report directly to the Chairman to carry out the responsibilities of the Paperwork Reduction Act, Clinger-Cohen Act, and Executive Order 13011;
   • Empower the CIO with sufficient authority to ensure that the Commission effectively (i) complies with the legislative IT capital planning and investment control mandates of Congress; (ii) implements the IT governance policies mandated by executive order; and, (iii) establishes internal controls that enforce Commission-specific policies that implement and comply with government-wide IT capital planning and investment control policies issued by the Office of Management and Budget (OMB);
   • Ensure that program directors and office heads (program officials) are responsible for and held accountable in defining program information needs and developing information technology (IT) business strategies that define how they intend to use the capabilities of information technology to directly support their strategic missions;
   • Foster measurable IT investment decisions that support the Commission’s mission needs through the use of integrated IT analysis, planning, budgeting and evaluation processes;
   • Establish mission-based performance measures for IT investments that are aligned with Commission performance plans prepared pursuant to the Government Performance and Results Act of 1993 (Public Law 103-620); and,
   • Implement management processes that assign responsibilities and assign clear lines of accountability for managing, selecting, controlling, evaluating, and terminating IT investments.

[2] See http://lcweb2.loc.gov/law/usa/us040106.pdf (pages 495 - 519)
[3] See http://www.cio.gov/documents/federal_it_jul_1996.html
[4] See http://www.whitehouse.gov/omb/circulars/a130/a130trans4.html
[5] See http://www.whitehouse.gov/omb/circulars/a11/current_year/s53.pdf and http://www.whitehouse.gov/omb/circulars/a11/current_year/part7.pdf

BEST PRACTICES – IT INVESTMENT DECISIONS

Section 5122, Capital Planning and Investment Control, of the Clinger-Cohen Act defines the design and content of capital
planning and investment control processes that agency heads are to implement. The Chairman is responsible for the Commission’s implementation of an IT capital planning and investment control process. This process should establish an enforceable framework that accounts for the improved operational and performance efficiencies that the Commission will achieve from the use of taxpayer dollars to acquire information technology. Specifically, the process is to:
   • Provide an auditable framework for the selection, management, and evaluation of IT investments;
   • Integrate the Commission’s processes for making IT budget, financial, and program management decisions;
   • Include documented qualitative and quantitative investment selection, management, and evaluation criteria for comparing and prioritizing IT investments; and,
   • Provide the means for obtaining timely information regarding the progress of an investment, including system milestones for measuring progress, on an independently verifiable basis.

In addition, the Commission is to use performance and results-based management in the governance of its investments in information technology.

IT INVESTMENT MANAGEMENT MATURITY MODEL

The figure below illustrates the five maturity stages of IT investment management.

MATURITY STAGES AND CRITICAL PROCESSES

STAGE 5: LEVERAGING IT FOR STRATEGIC OUTCOMES
   • INVESTMENT PROCESS BENCHMARKING
   • IT-DRIVEN STRATEGIC BUSINESS CHANGE

STAGE 4: IMPROVING THE INVESTMENT PROCESS
   • POST IMPLEMENTATION REVIEWS AND FEEDBACK
   • PORTFOLIO PERFORMANCE EVALUATION AND IMPROVEMENT
   • SYSTEMS AND TECHNOLOGY SUCCESSIONS MANAGEMENT

STAGE 3: DEVELOPING A COMPLETE INVESTMENT PORTFOLIO
   • AUTHORITY ALIGNMENT OF IT INVESTMENT BOARDS
   • PORTFOLIO SELECTION CRITERIA DEFINITION
   • INVESTMENT ANALYSIS
   • PORTFOLIO DEVELOPMENT
   • PORTFOLIO PERFORMANCE OVERSIGHT

STAGE 2: BUILDING THE INVESTMENT FOUNDATION
   • IT INVESTMENT BOARD OPERATION
   • IT PROJECT OVERSIGHT
   • IT ASSET TRACKING
   • BUSINESS IDENTIFICATION FOR IT PROJECTS
   • PROPOSAL SELECTION

STAGE 1: CREATING INVESTMENT AWARENESS
   • IT SPENDING WITHOUT DISCIPLINED INVESTMENT PROCESSES

Each stage builds upon the lower stages and enhances an organization’s ability to manage its IT investments.
IT investment management maturity indicative of a Stage 1 organization is characterized as:
   • Being ad hoc, unstructured, unpredictable, and not having widely shared and institutionalized investment and development processes;
   • Having unpredictable project outcomes, which are not focused on the investment’s business benefits; and
   • Having a selection process that is rudimentary, poorly documented, and at times inconsistent.

Organizations are generally assumed to initially have Stage 1 IT investment management maturity.[6]

[6] Source: http://www.gao.gov/special.pubs/ai10123.pdf GAO maturity framework for assessing information technology investment management processes and practices of Federal agencies (See pages 7-12 of hyperlink for details on the characteristics and practices associated with each maturity stage).

AUDIT RESULTS

The graphs below illustrate our benchmarking of the Commission’s IT capital investment decision-making process against GAO’s Stage 2 best practices for selecting, controlling, and evaluating IT investments in accordance with the fundamental IT governance mandates of the Clinger-Cohen Act.

[Figure: two charts, "Status of 39 Best Practices" and "Implementation of Best Practices by Component", the latter broken down by COMMITMENT (Policy), PREREQUISITES (Resources), and ACTIVITIES (Outcomes).]

Legend:
   • Stage 2 best practices in place, operating, clearly understood and followed.
   • Stage 2 best practices are somewhat in place. Expected outcomes are somewhat defined, understood and followed.
   • Stage 2 best practices not in place and operating. Expected outcomes are not defined nor are they clearly understood.

As illustrated above, the Commission has made progress in establishing and implementing Stage 2 IT investment selection, control, and evaluation best practices.[7] Among other positive steps, the Commission has:
   • Established an Information Officers Council and Information Technology Capital Planning Committee to review and approve IT investments;
   • Used a process to develop new IT investment proposals; and
   • Made funding decisions for new IT proposals using an IT investment selection process.

However, in our opinion, the Commission does not yet qualify for stage 2.

The Commission could significantly improve the governance of its $120 million FY 2004 IT investment portfolio, which is comprised of ongoing operations and planned maintenance, development, modernization, and enhancement projects and initiatives by:
   • Appointing a full time Chief Information Officer (CIO) reporting to the Chairman and delegating to the CIO sufficient authority to enforce the IT capital planning and investment control mandates of the Clinger-Cohen Act;
   • Developing, approving, publishing, and enforcing formal Commission-wide IT capital planning and investment control policies and procedures;
   • Establishing clearly defined roles, responsibilities, and boundaries of authority and accountability for the Commission’s IT investment review and approval committees and program offices;
   • Implementing auditable processes for selecting and approving IT investments;
   • Establishing effective investment control processes that provide adequate visibility over IT investment life-cycle costs and project schedules;
   • Implementing an IT investment evaluation process for evaluating whether IT investments were completed within cost, on schedule, and produced the operational outcomes expected from the investments; and
   • Providing adequate resources and guidance to staff to effectively implement and enforce fundamental IT investment controls and processes.

[7] Appendix A contains a detailed listing of the 39 best practices by performance component. See http://www.gao.gov/special.pubs/ai10123.pdf for details on GAO’s best practices framework.

Appendix B contains an example of a high-level IT investment process flow diagram for selecting and managing IT investments, and evaluating IT investment
decision-making outcomes. The sample process flow diagram provides a possible approach the Commission could adopt to strengthen its internal management control structure and IT governance processes to comply with, and enforce, the IT investment selection, control, and evaluation best practices mandated by the Clinger-Cohen Act.

Below, we discuss in more detail the specific IT investment control and decision-making business process improvements that the Commission needs to address to move to Stage 2 of the Information Technology Investment Management Maturity Model.

CHIEF INFORMATION OFFICER

The Commission’s previous Chief Information Officer (CIO) did not have sufficient authority to effectively administer, control, implement and enforce the IT capital planning and investment control responsibilities mandated by the Clinger-Cohen Act. In addition, the Commission’s CIO position remained vacant from October 2002 to January 2004.

Under the previous structure, the CIO did not report to the Chairman as required by the Clinger-Cohen Act. Instead, the CIO was under the operational control of, and reported to, the Commission’s Executive Director.[8] As a result, the CIO was not organizationally positioned to objectively lead, guide, and enforce the fundamental IT governance processes required of the CIO position. In addition, the CIO’s authority to enforce the principles of IT capital investment decision-making and control was not defined.

In January 2004, the Chairman appointed a Chief Information Officer.
Under the current structure, the CIO reports to the Chairman and is the chair of the IOC. However, the roles, responsibilities, authorities, and span of control of the CIO, and members of the Commission’s Information Officers Council (IOC) and Information Technology Capital Planning Committee (ITCPC) have not yet been documented, approved (see next finding), or communicated.

          Recommendation A
          The Chairman should delegate to the CIO the necessary authority to issue and enforce Commission-wide IT policy and regulations, and to implement the recommendations in this report.

The Chairman’s Office has indicated that these authorities have been operationally delegated to the CIO.

          Recommendation B
          The CIO, in conjunction with the Offices of the General Counsel and Executive Director, should prepare an Action Memorandum to the Commission to modify 17 CFR § 200.13 to formally delegate authority to issue IT policies and regulations to the CIO. They should also consider whether the delegation for telecommunications policy authority should be modified.

          Recommendation C
          Within 60 days of the date of this report, the Chairman should approve a process to track the CIO’s progress in implementing each of the recommendations in this report.
          Appendix C contains an example of an implementation schedule that could be used or incorporated into other management reporting systems (e.g., the dashboard reports).

[8] Day-to-day management of the Commission’s financial management, procurement activities, human resources management, and information technology operations is under the operational control and direction of the Executive Director, who reports to the Chairman.

CAPITAL PLANNING AND INVESTMENT CONTROL POLICIES

While the Commission has taken steps to implement the IT capital planning and investment control best practices mandated by the Clinger-Cohen Act, essential plans, policies, guidance, and controls were either not developed, remain under development, or are awaiting approval from the Office of the Executive Director (OED).
For example:
   • The Office of Information Technology’s Strategic Information Technology Plan, which establishes the strategic direction for IT capital planning and tactical operations within the Commission, remained in draft until October 2003;
   • The Commission’s IT Capital Planning and Investment Control policy, which establishes Commission-wide policy on the responsibilities for planning, selecting, budgeting, allocating, managing, controlling, and evaluating information resources, has remained in draft since June 2002; and
   • The Commission’s proposed capital planning and investment control process detail was never formally approved and adopted by the Commission’s ITCPC.

In addition, the Commission’s IOC and ITCPC operated without formally approved and documented charters that clearly defined the IT governance roles, responsibilities, procedures, criteria, and processes that they were to follow and apply when evaluating the merits of proposed IT investments, and when making final IT investment decisions. We also identified several IT planning-related work groups and committees that operated without charters, and that were not aligned and fully integrated into the Commission’s IT capital planning and investment control management framework. These work-groups and committees include the EDGAR[9] Steering Committee; EDGAR Requirements Sub-committee; External Database Committee; and Web Advisory Committee.
We are also aware of at least one “no cost” IT contract (with estimated annual expenditures of $5 million to $6 million) that did not go through the Commission's IT investment process.

[9] The Commission’s Electronic Data Gathering, Analysis and Retrieval (EDGAR) system receives, stores and distributes electronic filings submitted to the Commission in accordance with securities laws and rules.

We conclude that the absence of clearly defined and formally approved IT governance policies, criteria, and procedures has resulted in an IT capital planning and investment control management framework that is (i) undisciplined, (ii) subject to broad interpretation and application by Commission executives, managers, and staff and (iii) lacks auditable and enforceable standards and controls. The governance over this important Commission function needs to be strengthened.

          Recommendation D
          The CIO should assess, revise as appropriate, and reissue a Commission-wide Information Technology Strategic Plan that addresses the IT business needs of the Commission’s divisions and program offices.

          Recommendation E
          The CIO, in coordination with OED, the IOC, and the ITCPC, should finalize and publish a Commission-wide IT capital planning and investment control process policy.

          Recommendation F
          The OED and CIO, in coordination with the ITCPC, should jointly develop, approve, and publish a charter for the ITCPC.

          Recommendation G
          The CIO, in coordination with the IOC and OED, should develop, approve, and publish a charter for the IOC.
    Recommendation H
    The CIO should identify all IT planning-related work groups and integrate them into the Commission’s IT capital planning and investment control (CPIC) process. All so-called “no-cost” IT contracts should also be considered for inclusion in the IT investment process.


PROCESS FOR SELECTING IT INVESTMENTS
We determined that some of the recommendations made in our FY 2001 IT decision-making business process review for selecting IT investments were not fully implemented. For example:
  • The Commission’s process and control structure for selecting IT investments was not formally documented;
  • Criteria for selecting, prioritizing, and recommending IT investments for funding to the ITCPC were not formally approved, documented, and used to validate and approve the risks, benefits, and costs of proposed IT investments;[10]
  • Commission program offices did not publish and disseminate IT business strategies on how they planned to use IT to attain their mission goals and objectives; and
  • Business cases, as required by OMB Circular A-11, were not always prepared.[11]

In addition, about $68 million of the Commission’s $89 million FY 2003 IT operating budget was not under the purview of the Commission’s IOC and ITCPC.
This significant portion of the Commission’s IT investment portfolio was managed separately by the Office of Information Technology (OIT). OIT selected, prioritized, and managed these IT investments using a separate process internal to OIT.[12]

[10] Members of the Information Officers Council told us that they (i) informally considered the Commission’s strategic goals and objectives for all major and non-major IT investments; (ii) informally considered government-wide objectives in detail for all major investments; (iii) informally considered all requirements outlined in the Clinger-Cohen Act and other Acts, as warranted; (iv) informally considered security requirements for all projects; (v) vigorously questioned alternative investment solutions for all projects; and (vi) obtained assistance in evaluating the managerial and technical risks of project proposals.
[11] See http://www.whitehouse.gov/omb/circulars/a11/current_year/s53.pdf and http://www.whitehouse.gov/omb/circulars/a11/current_year/part7.pdf for Exhibit 53 and Exhibit 300 business case requirements. The Commission requires all IT investments of $25,000 or more to go through the IT capital planning process. However, the Commission has not formally identified or approved levels of business case detail for varying IT investment cost thresholds.

We could not validate the reasonableness of the Commission’s basis to select, prioritize, recommend, and approve IT investments for funding because documentation was not maintained to support how proposed investments were evaluated, prioritized, and selected for funding.
In addition, we could not obtain documentation to support which investment selection criteria were used, and whether the evaluation criteria were consistently applied to validate and evaluate the benefits, risks, and investment alternatives for about 70 IT investment proposals. Also, we could not verify and validate whether the selection and approval criteria applied within OIT were consistent with the criteria and ranking factors used by the IOC. As a result, we could not validate the basis used by the Commission to support its selection, prioritization, recommendations, and approval to fund IT investments included in the Commission’s $89 million FY 2003 IT operating budget.

We conclude that the Commission could strengthen its IT selection process by formally developing, approving, publishing, and enforcing a management control structure for selecting IT investments similar to the sample management control structure illustrated in Appendix D. In addition, Section 300 of OMB Circular A-11 (see Appendix G) is a useful resource to identify relevant selection criteria for adoption by the Commission.

    Recommendation I
    The CIO, in coordination with the ITCPC, IOC, OED, and the Office of Financial Management (OFM), should establish, approve, publish, and use a single Commission-wide IT investment control process and structure to develop the Commission’s annual IT operating budget, and to select, prioritize, and fund all IT investments (e.g., all $89 million of the FY 2003 IT budget).

    Recommendation J
    The CIO, in coordination with the ITCPC and IOC, should establish, approve, and publish standard IT investment evaluation criteria to guide business case development and evaluation.

    Recommendation K
    The CIO, in coordination with the ITCPC and IOC, should establish,
    implement, and follow a documented process for scoring, prioritizing, and funding IT investments based on business case and project justification analyses.

[12] The $86 million was comprised of ongoing operations and maintenance, and application and infrastructure upgrades and enhancements to existing systems and infrastructure.

    Recommendation L
    The CIO, in coordination with the ITCPC and IOC, should establish, approve, and publish Commission-wide policy on the IT investment dollar thresholds that require business cases or some less comprehensive analysis.

    Recommendation M
    The CIO, in coordination with the ITCPC and IOC, should establish and publish business case development guidelines that comply with OMB policy and guidelines.

    Recommendation N
    The CIO, in coordination with the ITCPC and IOC, should annually solicit business strategy input from Commission program offices on how the program offices plan to use IT to improve their mission performance.

    Recommendation O
    The CIO, ITCPC, and IOC should establish a process for using the program office IT business strategies and the OIT strategic IT plan in their review, analysis, approval, and monitoring of the Commission’s IT investment portfolio.


PROCESS FOR CONTROLLING IT INVESTMENTS
Our review of the Commission’s controls for managing approved IT investments showed that adequate controls were not established to proactively oversee and identify whether IT project management activities were effective in:
  • Controlling IT project costs;
  • Meeting project schedules and milestones; and
  • Attaining established performance expectations.

As a result, we conclude that the Commission did not implement an effective IT investment control process that enforced the use of meaningful IT investment cost, schedule, and performance variance analyses to help guide its project management activities and decisional outcomes. We also conclude that the Commission did not establish an effective problem identification analysis process to help pinpoint, understand, and correct problem areas within the Commission’s IT project management structure.

Appendix E provides an illustrative example of how the Commission might strengthen its management control structure and oversight processes in its management of IT investment costs, schedules, and performance outcomes.

Project Status Reviews
The Commission’s IT project management oversight process did not require the IOC and ITCPC to perform periodic IT portfolio reviews and project management assessments of the Commission’s $89 million FY 2003 IT operating budget. OIT management performed these critical Commission-wide IT governance oversight responsibilities internally, and on a periodic basis.

OIT management used project status reports and periodic program management reviews to monitor its internal project management activities. These periodic reviews served as the Commission’s primary basis to flag whether project management activities were effective in attaining cost, schedule, and IT investment expectations.
However, the project management status reports did not contain sufficient detail to identify cost, schedule, and performance variances between actual and approved IT budgets, time schedules, and performance expectations.

For example, for the FY 2003 project status reports that we reviewed, and for the OIT program management reviews that we attended, we found that:
  • Controls for identifying variances in the use of approved IT funds consisted of reporting actual expenditures against approved funding levels (also referred to as burn rates, or cost/spend comparisons); and
  • Controls for identifying whether IT projects were on schedule consisted of reporting the beginning and ending dates of a project’s life-cycle stage (baseline dates were not presented to inform reviewers on how actual project management accomplishments exceeded, met, or fell short of approved project schedule expectations).

In addition, we determined that funds approved by the ITCPC for specific investments were reprogrammed to other projects without prior review and approval of the IOC or ITCPC.

    Recommendation P
    The CIO, in coordination with OED, should establish, publish and use controls for managing project costs and schedules and measuring IT investment performance outcomes.

    Recommendation Q
    The CIO, in coordination with the ITCPC, IOC, and OED, should establish procedures for disseminating and regularly reviewing IT project milestones for IT investment costs, schedules, and performance expectations approved by the ITCPC.

Prior Audit Findings
Our audit of Information Technology Project Management (Audit Report No.
337, dated January 24, 2002) reported our concerns about the effectiveness of the Commission’s controls to manage the costs, schedules, and performance outcomes of funded information technology projects. Specifically, we reported that the Commission needed to:
  • Establish standard project review board procedures and controls that enforced OIT’s internal project management policies and procedures;
  • Implement an automated project management information system to capture project costs and schedules in sufficient detail to facilitate performance-based acquisition analyses;
  • Provide information to management and staff to effectively track, monitor, and report the status of IT investments; and
  • Implement a project management reporting system that was integrated with the Commission’s financial management system.

Many of the recommendations agreed to by Commission management in our prior audit have not been implemented.

    Recommendation R
    The CIO should implement the project management recommendations contained in Audit Report No. 337. Implementation should be tracked using the system described in Recommendation C.


PROCESS FOR EVALUATING IT INVESTMENT PERFORMANCE
The Commission did not implement effective management controls and processes that enforced the use of post-implementation reviews and evaluations of completed IT projects to identify best practices and potential control weaknesses.
In addition, the Commission did not effectively implement and enforce the capital planning and investment control aspects of its approved Enterprise Architecture (EA) policy.

As a result, the Commission did not have a formal and disciplined method to pinpoint significant management and operational control weaknesses in its governance of information technology, or an effective basis to identify best practices that could improve its IT capital planning and investment control processes.

Post-Implementation Reviews
The Commission did not perform post-implementation reviews on completed IT projects to validate estimated benefits and costs, and to document effective management practices. For example:
  • The Office of Information Technology did not conduct routine post-implementation reviews to identify best practices that could be applied to future IT acquisitions and project management activities; and
  • The Information Officers Council and IT Capital Planning Committee did not perform systematic post-implementation reviews to identify best practice trends that could improve the selection, control, and management of IT investments.

We also determined that the Office of the Executive Director (OED) did not fully implement several of the recommendations made in our FY 2001 business process review.
Specifically, controls were not established for:
  • Rejecting project requests that did not comply with the Commission’s approved and documented IT investment selection and evaluation criteria; and
  • Stopping IT projects that were over budget, off schedule, lacked timely program decisions and data, or deviated from established performance expectations.

We conclude that the Commission could strengthen this component of its IT capital planning and investment control process by implementing a post-implementation review and analysis process similar to the process illustrated in Appendix F.

For example, the CIO could establish a program management oversight office that is responsible for evaluating and enforcing IT capital planning and investment control policies and procedures. Specifically, the CIO should establish controls and procedures for:
  • Checking business cases for compliance with Commission guidance and criteria before submission to the IOC.
    These compliance checks and evaluations should include making sure that:
      − Mandatory standard selection criteria are addressed;
      − The project is appropriately divided into segments (allowing go/no go decisions);
      − Performance expectations are clearly defined;
      − Costs are explicitly stated; and
      − Costs, performance, and deliverables are explicitly scheduled.
  • Monitoring the performance, deliverables, and cost of each project and preparing and disseminating monthly reports.

In addition, the OED could ensure that the Commission’s IT strategic planning efforts support the Commission’s strategic plan and annual performance plans prepared pursuant to the Government Performance and Results Act (GPRA). The OED could also help evaluate IT capital planning and investment control policies and procedures.
For example, upon completion of each project the OED could:
  • Evaluate how well the capital investment process served the Commission;
  • Identify improvements that would assist the Commission on future projects; and
  • Issue timely evaluation reports to the Chairman, CIO, ITCPC, IOC, and OIT.

    Recommendation S
    The CIO should establish procedures and controls for checking IT investment proposals and business cases for compliance with Commission guidance and criteria before submission to the IOC.

    Recommendation T
    The CIO should establish procedures and controls for monitoring the performance, deliverables, and cost of each project and preparing and disseminating monthly reports to the Chairman, CIO, ITCPC, and IOC.

    Recommendation U
    The OED should establish procedures and controls for linking the Commission’s IT strategic planning efforts to the Commission’s strategic plan prepared pursuant to the Government Performance and Results Act (GPRA).

    Recommendation V
    The OED should establish procedures and controls for evaluating how well the Commission’s IT capital planning and investment control (CPIC) process serves the Commission and identifying improvements that would assist the Commission on future projects.


Enterprise Architecture
The Commission needs to fully integrate its EA framework into the Commission’s IT capital planning and investment control processes.
The Commission also needs to use the EA framework to inform, guide, and manage IT investment decisions.

SECR 24-1.6, Information Technology Enterprise Architecture, dated November 25, 2002, sets forth Commission policy and responsibilities for implementing, maintaining, and using an enterprise architecture framework for IT capital planning and investment decision-making within the Commission. Responsibilities of Division Directors and Office Heads, the Information Officers Council, and Information Technology Capital Planning Committee include:
  • Taking ownership of the EA, and establishing its priority for the Commission;
  • Conducting regular project reviews to monitor on-going IT project compliance with the EA;
  • Releasing an official version of the current and target architectures prior to annual review of the Commission’s IT portfolio;
  • Providing strategic direction for the development of the Commission’s EA, and reviewing and approving changes to the EA;
  • Using the EA to evaluate major technology investments and to make final funding decisions on the Commission’s IT investment portfolio;
  • Monitoring progress toward stated EA project goals; and
  • Evaluating IT investment results using the Commission’s EA framework.

Our audit showed that many of the EA responsibilities listed above were not given sufficient priority, nor were Commission executives, managers, and staff held accountable for implementing their respective EA responsibilities within the Commission’s IT capital planning and investment control management framework.

As a result, the Commission has made little progress in implementing the EA mandates of the Clinger-Cohen Act, and complying with Federal policy contained in OMB Circular A-130. The Clinger-Cohen Act and OMB Circular A-130 require executive branch agencies to develop, maintain, and facilitate the implementation of a sound and integrated information technology architecture within their respective agency.[13]

    Recommendation W
    The CIO should enforce Commission policy to integrate the Commission’s Enterprise Architecture into the Commission’s IT capital planning, IT decision-making, and IT investment control and evaluation processes.


STAFFING AND RESOURCES
A common theme brought to our attention by the IOC, ITCPC, and OIT was the need for the Commission to identify performance and resource gaps, and to allocate sufficient resources (e.g., funds, support staff, and contractor support) to help them effectively implement and comply with the IT investment management control and decision-making best practices discussed throughout this report. During our audit, we identified several resource gaps that we believe impaired the Commission’s capability to implement an effective and enforceable IT governance framework.
For example:
  • The Commission’s Chief Information Officer position had been vacant for 15 months;[14]
  • The Office of Information Technology (OIT) had 32 vacant positions out of a total of 128 authorized positions, as of January 2004;[15]
  • Information Officers performed their IT governance responsibilities as an additional duty to their primary program area responsibilities;[16]
  • OIT staff responsible for facilitating the operation and management of the Commission’s IT capital investment decision-making processes were also performing duties associated with the positions vacant within OIT;
  • The Commission’s enterprise architecture function was staffed with a single individual; and
  • The Commission’s IT capital planning and investment control Management Information System (MIS) consisted of spreadsheets, word files, and other documents that were manually maintained and posted to a shared drive on the Commission’s network.

In addition, Information Officers told us that the Commission’s existing IT governance framework and process demanded an inordinate amount of their time to perform their perceived IT governance responsibilities. Information Officers also expressed concern about whether they could effectively perform their primary program area management responsibilities should the Commission require them to perform additional IT capital planning and investment control duties and functions.

[13] On October 8, 2003, we initiated an audit of the Commission’s enterprise architecture (EA). The audit will, in part, evaluate the Commission’s EA management processes, components, and migration strategy.
[14] On January 14, 2004, the SEC announced that the CIO position had been filled.
[15] We were told that hiring for the vacant positions within OIT was put on hold until the Commission filled the vacant CIO position.
[16] We think it critical that business experts serve as information officers and realize that their primary responsibilities should be related to Commission programs.

We conclude that the Commission should address whether the resources that it has identified and applied to support and implement its IT capital planning and investment control decision-making framework and process are adequate for implementing the mandates of the Clinger-Cohen Act.
Doing so would help the Commission ensure that it effectively implements a compliant IT capital planning and investment control process that establishes and enforces accountability in how the Commission uses taxpayer dollars to improve operational performance and attains efficiencies in its acquisition and use of information technology.

    Recommendation X
    The CIO should solicit input from OIT and the IOC, ITCPC, OED, and Commission divisions and program offices to identify IT capital planning and investment control performance and resource gaps.

    Recommendation Y
    Based on the analysis and validation of the data and information received from implementing Recommendation X, the CIO and responsible officials should request sufficient resources to fill the documented performance and resource gaps.

In implementing Recommendations X and Y, the CIO and the ED should make sure that the IOC and the ITCPC are provided adequate support staff and resources to help them perform their CPIC responsibilities.


APPENDIX A

STAGE 2 PERFORMANCE BY BEST PRACTICE COMPONENT

COMMITMENT (Policies) / RATING
  • SEC executives and line managers support and carry out IT investment committee decisions.
  • SEC executives and managers follow an established selection process.
  • A SEC-specific IT investment process guide has been created to direct each IT committee’s operations.
  • The SEC has written policies and procedures for project management.
  • The SEC has written policies and procedures for managing and overseeing IT projects.
  • The SEC has written policies and procedures for developing and maintaining an IT asset inventory.
  • An official is assigned responsibility for managing the IT asset tracking process.
  • The SEC has written policies and procedures for identifying the business needs and the associated users of each IT project.
  • An official is designated to manage the IT selection process.

PREREQUISITES (Resources) / RATING
  • An Information Technology investment committee is operating.
  • Committee members understand the investment committee’s policies and procedures and exhibit core competencies in using the investment approach via training, education, or experience.
  • Adequate resources are provided for operating your IT investment committee.
  • Adequate resources are provided for performing the IT asset tracking activities.
  • The SEC has defined its business needs or stated its mission goals.
  • Adequate resources are provided for identifying business needs and associated users.
  • Adequate resources are provided for proposal selection activities.
  • Adequate resources are provided to assist the committee(s) in overseeing IT projects.
  • Each IT project has and maintains an approved project management plan that includes cost and schedule controls.
  • The IT investment committee uses information from the IT asset inventory as applicable.
  • An IT investment committee exists and oversees the development and maintenance of IT asset tracking activities.
  • IT staff are trained in SEC’s business needs identification.
  • All IT projects are identified in the IT asset inventory.

ACTIVITIES (Outcomes) / RATING
  • The SEC uses a structured process to develop new IT proposals.
  • SEC executives make funding decisions for new IT proposals according to an established process.
  • The SEC’s IT asset inventory is developed and maintained according to a written procedure.
  • IT asset inventory changes are maintained according to a written procedure.
  • Investment information is available on demand to decision-makers and other affected parties.
  • Specific SEC users are identified for each IT project.
  • Identified users participate in project management throughout a project’s life cycle.
  • SEC executives analyze and prioritize new IT proposals according to established selection criteria.
  • Each SEC IT investment committee is created and defined so that committee membership integrates both IT and business knowledge.
  • SEC IT investment committees operate according to written policies and procedures contained in the SEC’s IT investment process guide.
  • Each project’s up-to-date cost and schedule data are provided to the appropriate IT investment committee.
  • Using established criteria, the IT investment committee oversees each IT project’s performance regularly by comparing actual cost and schedule data to expectations.
  • The IT investment committee performs special reviews of projects that have not met predetermined performance standards.
  • Appropriate corrective actions for each under performing project are defined,

GREEN: Stage 2 Best Practices in place,
d o c u m e n te d , a n d a g re e d to b y th e IT\n                        o p e ra tin g , c le a rly u n d e rs to o d a n d fo llo w e d .                                                          in ve s tm e n t c o m m itte e a n d p ro je c t\n                                                                                                                                                    m a n a g e r.\n                        Y E L L O W : S ta g e 2 B e s t P ra c tic e s a re s o m e -                                                              C o rre c tiv e a c tio n s a re im p le m e n te d\n                        w h a t in p la c e a n d o p e ra tin g . E x p e c te d o u t-                                                            a n d tra c k e d u n til th e d e s ire d o u tc o m e\n                        c o m e s a re s o m e -w h a t d e fin e d , u n d e rs to o d ,                                                           is a c h ie v e d .\n                        a n d fo llo w e d .                                                                                                        H is to ric a l IT a s s e t in ve n to ry re c o rd s\n                                                                                                                                                    a re m a in ta in e d a n d u s e d fo r fu tu re\n                        R E D : S ta g e 2 B e s t P ra c tic e s n o t in p la c e a n d                                                           s e le c tio n s a n d a s s e s s m e n ts .\n                        o p e ra tin g . E x p e c te d o u tc o m e s a re n o t d e fin e d\n                        n o r a re th e y c le a rly u n d e rs to o d .                                                                            
T h e b u s in e s s n e e d s fo r e a c h IT p ro je c t\n                                                                                                                                                    a re c le a rly id e n tifie d a n d d e fin e d .\n\n\n\n\n                 IT Capital Investment Decision-Making Follow-Up (Audit 365)                                                                                         March 29, 2004\n\x0c                                                                                                                           Page 21\n\n\n\n                                                                                                              APPENDIX B\n\n    HIGH-LEVEL IT INVESTMENT PROCESS FLOW DIAGRAM\n\nThe IT capital planning and investment management process flow diagram below\nillustrates an example of the high-level documents, decisions, and processes that the\nCommission could implement to improve its IT investment management controls\nand processes. It assumes that the Commission\xe2\x80\x99s IOC and ITCPC exercise total\nvisibility over the Commission\xe2\x80\x99s entire information technology portfolio. It is based\non the premise that the Commission\xe2\x80\x99s IT Strategic Implementation Plan aligns with\nthe strategic goals and objectives contained in the Commission\xe2\x80\x99s Strategic Plan, as\nsupported by division and program office specific IT business strategies.\n\nThe processes below also provide an example of who within the Commission should\nbe held accountable for implementing and enforcing specific components of IT\ncapital planning and investment decision-making. 
The Commission could use a\ncomparable process flow diagram to help develop and validate existing and needed\nIT capital planning and investment management policies and control procedures.\n\n\n[Figure: Example of High-level Controls and Processes. Swim lanes: SEC, DIV/OFF, CIO, OIT, CIO/CONTRACTOR, IOC/OED, ITCPC.\nElements: GPRA; Business Strategies; IT Strategic Implementation Plan; Program Project Requests; Infrastructure Project Requests;\nPrepare Business Case; Business Cases; Meet Criteria; Validate & Prioritize; List to ITCPC; Approve;\nProject Management & Monitor; Post Implementation Review; ITCPC PROCESS; Exceptions; CHAIRMAN; decision branches labelled YES and NO.]\n\n\n\x0c                                                                                Page 22\n\n\n                                                                      APPENDIX C\n\n           SAMPLE TIMELINE FOR IMPLEMENTING AUDIT\n                     RECOMMENDATIONS\n\n\nSample timelines for implementing the audit recommendations in this report are\nillustrated on the following pages of this Appendix. The tables provide an example\nof how the Chairman could monitor and track the Commission\xe2\x80\x99s progress in\nimplementing audit recommendations that will move the Commission into Stage 2\ninvestment management maturity.\nSeveral software products are available (e.g., Microsoft Project) that could be used to\nautomate and analyze the Commission\xe2\x80\x99s progress in implementing these audit\nrecommendations. 
Also, the sample timelines illustrated on the following pages\ncould be integrated into the Chairman\xe2\x80\x99s Dash Board performance reporting system.\nWe present several sample timeline views that could be useful in accounting for the\ntimely performance:\n   \xe2\x80\xa2   A comprehensive view of all audit recommendations by responsible position,\n       applicable audit report number and pages, and categorization of the\n       recommendations by major IT investment areas;\n   \xe2\x80\xa2   Chairman specific audit recommendations;\n   \xe2\x80\xa2   CIO specific audit recommendations; and\n   \xe2\x80\xa2   OED specific audit recommendations.\n\n\n\x0c                                                                                Page 23\n\n\n      COMPREHENSIVE VIEW OF ALL AUDIT RECOMMENDATIONS\n                 BY RESPONSIBLE POSITION\n\nRESPONSIBLE   APPLICABLE        RECOMMENDATION  RECOMMENDATION TITLE BY MAJOR AREA                SAMPLE TIMELINE FOR IMPLEMENTING AUDIT RECOMMENDATIONS\nPOSITION      REPORT No.        LETTER                                                                  FY 2004                     FY 2005\n              AND PAGE(S)                                                                         Jan-Mar Apr-Jun Jul-Sep Oct-Dec Jan-Mar Apr-Jun Jul-Sep\n                                                CIO Responsibilities\nChairman      #365, pp. 8-9     A               Delegate authority to CIO to issue IT policy\n                                                and regulations and to implement\n                                                recommendations contained in this report\nChairman      #365, pp. 8-9     C               Approve a process to track CIO progress in\n                                                implementing audit recommendations\n                                                IT Governance Policies\nCIO           #365, pp. 8-9     B               Prepare Action Memorandum to modify CFR\n                                                to formally delegate authority to issue\n                                                policies/regulations to CIO\nCIO           #365, pp. 9-10    D               Assess, revise, and reissue IT Strategic Plan\nCIO           #365, pp. 9-10    E               Finalize and publish Commission-wide IT\n                                                capital planning and investment control policy\nCIO           #365, pp. 9-11    F               Jointly develop, approve, and publish ITCPC\n                                                charter with OED and ITCPC\nCIO           #365, pp. 9-11    G               Jointly develop, approve, and publish IOC\n                                                charter with the IOC and OED\nCIO           #365, pp. 9-11    H               Identify all IT planning-related work groups,\n                                                develop charters, and integrate into IT capital\n                                                planning framework\n                                                IT Investment Selection Process\nCIO           #365, pp. 11-12   I               Use a single IT investment control process for\n                                                approving the Commission's annual IT\n                                                operating budget\nCIO           #365, pp. 11-12   J               Approve and publish standard IT investment\n                                                selection criteria\nCIO           #365, pp. 11-12   K               Implement and use a documented process to\n                                                score, prioritize, and fund IT investments\nCIO           #365, pp. 11-13   L               Establish and publish IT investment dollar\n                                                thresholds requiring business cases, IOC\n                                                review, and ITCPC approval\nCIO           #365, pp. 11-13   M               Establish and publish business case\n                                                development guidelines\nCIO           #365, pp. 11-13   N               Develop, publish, and annually update\n                                                program office IT business strategies\nCIO           #365, pp. 11-13   O               Use program office IT business strategies and\n                                                OIT IT strategic plan when reviewing,\n                                                analyzing, and monitoring IT investment\n                                                portfolio\n                                                IT Investment Control Process\nCIO           #365, pp. 13-14   P               Establish and use controls for managing\n                                                project costs, schedules, and performance\n                                                outcomes\nCIO           #365, pp. 13-14   Q               Regularly review IT project costs and\n                                                milestones\nCIO           #365, pp. 13-15   R               Implement the project management                  See B, E, F, G, H, I below\n                                                recommendations contained in Audit Report\n                                                No. 337 (see below)\nCIO           #337, p. 6        B               Establish and publish project SDLC migration\n                                                checklists and use the checklists as a control\n                                                during project management reviews\nCIO           #337, p. 8        E               Establish a project management SECR and\n                                                enforce the project management procedures\nCIO           #337, p. 9        F               Establish standardized project naming\n                                                conventions, data descriptions, and data\n                                                collection methods to facilitate effective\n                                                project management tracking\n\n\n\x0c                                                                                Page 24\n\n\n      COMPREHENSIVE VIEW OF ALL AUDIT RECOMMENDATIONS\n                 BY RESPONSIBLE POSITION\n\nRESPONSIBLE   APPLICABLE        RECOMMENDATION  RECOMMENDATION TITLE BY MAJOR AREA                SAMPLE TIMELINE FOR IMPLEMENTING AUDIT RECOMMENDATIONS\nPOSITION      REPORT No.        LETTER                                                                  FY 2004                     FY 2005\n              AND PAGE(S)                                                                         Jan-Mar Apr-Jun Jul-Sep Oct-Dec Jan-Mar Apr-Jun Jul-Sep\n                                                IT Investment Control Process\nCIO           #337, p. 9        G               Develop controls that require COTR's to\n                                                develop statements of work that map to OIT's\n                                                project management methodology\nCIO           #337, pp. 9-10    H               Establish an integrated project management\n                                                tracking and control process to track, monitor,\n                                                and report the status of contract major cost\n                                                elements\nCIO           #337, pp. 10-11   I               Implement a performance-based acquisition\n                                                analysis process\n                                                IT Investment Evaluation Process\nCIO           #365, pp. 15-16   S               Check investment proposals and business\n                                                cases for compliance with guidelines and\n                                                procedures\nCIO           #365, pp. 15-17   T               Monitor and report monthly on project costs,\n                                                schedules, and performance\nOED           #365, pp. 15-17   U               Tie IT strategic planning to GPRA\nOED           #365, pp. 15-17   V               Routinely evaluate IT capital planning process\n                                                and identify IT capital planning process\n                                                improvements\nCIO           #365, pp. 17-18   W               Require ITCPC, IOC, and program offices to\n                                                comply with SECR 24-1.6\n                                                Staffing and Resources\nCIO/OED       #365, pp. 18-19   X               Identify performance and resource gaps\nCIO/OED       #365, pp. 18-19   Y               Fund identified performance and resource\n                                                gaps\n\n\n\x0c                                                                                Page 25\n\n\n      AUDIT RECOMMENDATIONS ADDRESSED TO THE CHAIRMAN\n\nRESPONSIBLE   APPLICABLE        RECOMMENDATION  RECOMMENDATION TITLE BY MAJOR AREA                SAMPLE TIMELINE FOR IMPLEMENTING AUDIT RECOMMENDATIONS\nPOSITION      REPORT No.        LETTER                                                                  FY 2004                     FY 2005\n              AND PAGE(S)                                                                         Jan-Mar Apr-Jun Jul-Sep Oct-Dec Jan-Mar Apr-Jun Jul-Sep\n                                                CIO Responsibilities\nChairman      #365, pp. 8-9     A               Delegate authority to CIO to issue IT policy\n                                                and regulations and to implement\n                                                recommendations contained in this report\nChairman      #365, pp. 8-9     C               Approve a process to track CIO progress in\n                                                implementing audit recommendations\n\n\n\x0c                                                                                Page 26\n\n\n        AUDIT RECOMMENDATIONS ADDRESSED TO THE CHIEF\n                    INFORMATION OFFICER\n\nRESPONSIBLE   APPLICABLE        RECOMMENDATION  RECOMMENDATION TITLE BY MAJOR AREA                SAMPLE TIMELINE FOR IMPLEMENTING AUDIT RECOMMENDATIONS\nPOSITION      REPORT No.        LETTER                                                                  FY 2004                     FY 2005\n              AND PAGE(S)                                                                         Jan-Mar Apr-Jun Jul-Sep Oct-Dec Jan-Mar Apr-Jun Jul-Sep\n                                                IT Governance Policies\nCIO           #365, pp. 8-9     B               Prepare Action Memorandum to modify CFR\n                                                to formally delegate authority to issue\n                                                policies/regulations to CIO\nCIO           #365, pp. 9-10    D               Assess, revise, and reissue IT Strategic Plan\nCIO           #365, pp. 9-10    E               Finalize and publish Commission-wide IT\n                                                capital planning and investment control policy\nCIO           #365, pp. 9-11    F               Jointly develop, approve, and publish ITCPC\n                                                charter with OED and ITCPC\nCIO           #365, pp. 9-11    G               Jointly develop, approve, and publish IOC\n                                                charter with the IOC and OED\nCIO           #365, pp. 9-11    H               Identify all IT planning-related work groups,\n                                                develop charters, and integrate into IT capital\n                                                planning framework\n                                                IT Investment Selection Process\nCIO           #365, pp. 11-12   I               Use a single IT investment control process for\n                                                approving the Commission's annual IT\n                                                operating budget\nCIO           #365, pp. 11-12   J               Approve and publish standard IT investment\n                                                selection criteria\nCIO           #365, pp. 11-12   K               Implement and use a documented process to\n                                                score, prioritize, and fund IT investments\nCIO           #365, pp. 11-13   L               Establish and publish IT investment dollar\n                                                thresholds requiring business cases, IOC\n                                                review, and ITCPC approval\nCIO           #365, pp. 11-13   M               Establish and publish business case\n                                                development guidelines\n\n\n\x0c                                                                                Page 27\n\n\n        AUDIT RECOMMENDATIONS ADDRESSED TO THE CHIEF\n                    INFORMATION OFFICER\n\nRESPONSIBLE   APPLICABLE        RECOMMENDATION  RECOMMENDATION TITLE BY MAJOR AREA                SAMPLE TIMELINE FOR IMPLEMENTING AUDIT RECOMMENDATIONS\nPOSITION      REPORT No.        LETTER                                                                  FY 2004                     FY 2005\n              AND PAGE(S)                                                                         Jan-Mar Apr-Jun Jul-Sep Oct-Dec Jan-Mar Apr-Jun Jul-Sep\n                                                IT Investment Selection Process\nCIO           #365, pp. 11-13   N               Develop, publish, and annually update\n                                                program office IT business strategies\nCIO           #365, pp. 11-13   O               Use program office IT business strategies and\n                                                OIT IT strategic plan when reviewing,\n                                                analyzing, and monitoring IT investment\n                                                portfolio\n                                                IT Investment Control Process\nCIO           #365, pp. 13-14   P               Establish and use controls for managing\n                                                project costs, schedules, and performance\n                                                outcomes\nCIO           #365, pp. 13-14   Q               Regularly review IT project costs and\n                                                milestones\nCIO           #365, pp. 13-15   R               Implement the project management                  See B, E, F, G, H, I below\n                                                recommendations contained in Audit Report\n                                                No. 337 (see below)\nCIO           #337, p. 6        B               Establish and publish project SDLC migration\n                                                checklists and use the checklists as a control\n                                                during project management reviews\nCIO           #337, p. 8        E               Establish a project management SECR and\n                                                enforce the project management procedures\nCIO           #337, p. 9        F               Establish standardized project naming\n                                                conventions, data descriptions, and data\n                                                collection methods to facilitate effective\n                                                project management tracking\nCIO           #337, p. 9        G               Develop controls that require COTR's to\n                                                develop statements of work that map to OIT's\n                                                project management methodology\nCIO           #337, pp. 9-10    H               Establish an integrated project management\n                                                tracking and control process to track, monitor,\n                                                and report the status of contract major cost\n                                                elements\nCIO           #337, pp. 10-11   I               Implement a performance-based acquisition\n                                                analysis process\n                                                IT Investment Evaluation Process\nCIO           #365, pp. 15-16   S               Check investment proposals and business\n                                                cases for compliance with guidelines and\n                                                procedures\nCIO           #365, pp. 15-17   T               Monitor and report monthly on project costs,\n                                                schedules, and performance\nCIO           #365, pp. 17-18   W               Require ITCPC, IOC, and program offices to\n                                                comply with SECR 24-1.6\n                                                Staffing and Resources\nCIO/OED       #365, pp. 18-19   X               Identify performance and resource gaps\nCIO/OED       #365, pp. 18-19   Y               Fund identified performance and resource\n                                                gaps\n\n\n\x0c                                                                                Page 28\n\n\n      AUDIT RECOMMENDATIONS ADDRESSED TO THE EXECUTIVE\n                         DIRECTOR\n\nRESPONSIBLE   APPLICABLE        RECOMMENDATION  RECOMMENDATION TITLE BY MAJOR AREA                SAMPLE TIMELINE FOR IMPLEMENTING AUDIT RECOMMENDATIONS\nPOSITION      REPORT No.        LETTER                                                                  FY 2004                     FY 2005\n              AND PAGE(S)                                                                         Jan-Mar Apr-Jun Jul-Sep Oct-Dec Jan-Mar Apr-Jun Jul-Sep\n                                                IT Investment Evaluation Process\nOED           #365, pp. 15-17   U               Tie IT strategic planning to GPRA\nOED           #365, pp. 15-17   V               Routinely evaluate IT capital planning process\n                                                and identify IT capital planning process\n                                                improvements\n                                                Staffing and Resources\nCIO/OED       #365, pp. 18-19   X               Identify performance and resource gaps\nCIO/OED       #365, pp. 18-19   Y               Fund identified performance and resource\n                                                gaps\n\n\n\x0c                                                                                Page 29\n\n\n                                                                      APPENDIX D\n\n\n    EXAMPLE OF AN IT INVESTMENT SELECTION PROCESS\n\nThe sample IT investment selection process flow diagram below illustrates the\ndocuments, processes, and decision points that the Commission could adopt and\nimplement to improve its IT investment selection process. The Commission could\nuse a comparable process flow diagram to help develop and validate existing and\nneeded IT investment selection policies and control procedures.\n\n\n[Figure: Selection Phase. Swim lanes: SEC, DIV/OFF, CIO, OIT, CIO/CONTRACTOR, IOC, ITCPC.\nElements: GPRA; Business Strategies; IT Strategic Implementation Plan; Program Project Requests; Infrastructure Project Requests;\nPrepare Business Case; Business Cases; Meet Criteria; Validate & Prioritize; List to ITCPC; Approve; To Control Phase;\ndecision branches labelled YES and NO.]\n\n\n\x0c                                                                                Page 30\n\n\n                                                                      APPENDIX E\n\n\n     EXAMPLE OF AN IT INVESTMENT CONTROL PROCESS\n\nThe sample IT investment control process flow diagram below illustrates the\ndocuments, processes, and decision points that the Commission could adopt and\nimplement to improve its IT investment control process. 
The Commission could use\na comparable process flow diagram to help develop and validate existing and needed\nIT investment control policies and procedures.\n\n[Flow diagram: Control Phase. Swimlanes: CIO, OIT, OAPM, DIV/OFF, IOC, ITCPC, CHAIRMAN. Elements: From Select Phase; Approved Projects; Prepare SOW or Task Order; Provide Input to SOW or Task Order; Award Contract or Issue Task Order; Monitor; Advised; Manage Project (Cost, Schedule, Performance); Participate in Project Management; Deviation (YES/NO); Notified; Status Report; Exception Report; Mitigate Project Risks and Make Go No-Go Recommendation to ITCPC; Make Go No-Go Decisions; Take Corrective Action Based On IOC/ITCPC Direction.]\n\nAPPENDIX F\n\nEXAMPLE OF AN IT INVESTMENT EVALUATION PROCESS\n\nThe sample IT investment evaluation process flow diagram below illustrates the\ndocuments, processes, and decision points that the Commission could adopt and\nimplement to improve its IT investment evaluation process. 
The Commission could\nuse a comparable process flow diagram to help develop and validate existing and\nneeded IT investment evaluation policies and control procedures.\n\n[Flow diagram: Evaluation Phase. Swimlanes: CIO, OED, OIT, DIV/OFF, IOC, ITCPC. Elements: From Control Phase; Completed Projects; Provide Input and Assess Results; Conduct Post Implementation Review; Process Improvements Needed (YES/NO); Revise Processes; STOP.]\n\n
APPENDIX G\n\nOMB CIRCULAR A-11, SECTION 300--PLANNING, BUDGETING,\nACQUISITION, AND MANAGEMENT OF CAPITAL ASSETS\n\nSection 300 of OMB Circular A-11 (2003) is contained on the following pages of this\nAppendix. Section 300 of the Circular contains useful information that could be\nused by the Commission in its efforts to strengthen its processes for selecting,\ncontrolling, and evaluating IT investments and managing the Commission's portfolio\nof IT investments. We suggest that the Commission use Section 300 of OMB\nCircular A-11 as a guide for establishing IT investment selection criteria and\nquestions to evaluate the merits of IT investments.\n"